Government IT Leaders Wrestle With Security Risks

Charles McClam, deputy CIO at the Department of Agriculture, said that mission-critical applications in his organization are housed in data centers around the country, and the employees responsible for keeping them secure are considered exempted personnel, meaning that they would continue to work even in the event of a government shutdown.

"At this juncture I don't see anything that's going to be problematic [with] enterprise security," McClam said here at a government IT conference.

Naeem Musa, CISO at the Federal Energy Regulation Commission, said that his agency contracts much of its security and monitoring activities out to vendors in the private sector, which would be unaffected by a shutdown.

Congress has until the end of the month to approve legislation to keep the government running, though its ability to do so in that time frame is in serious doubt. As of this afternoon, the Senate appeared poised to pass a temporary spending bill, stripping out language to defund President Obama's health care reform bill that had been included in a measure passed by the House. But Republican leaders have signaled that they are unlikely to accept any bill the Senate passes without making their own changes, which could run out the clock on the month-end deadline, the Washington Post reported.

Federal Big Data Initiatives Bring Big Security Challenges

But even if federal IT managers don't see a great threat to their systems' security from a potential government shutdown, they still have plenty to keep them up at night. At Thursday's conference, officials described the security challenges that accompany big data initiatives, even as the government is trying to make more of its data sets publicly available rather than keeping them locked inside the federal firewall.

"Securing the data, even if it's public, it's open, you still have to protect the integrity of that data, make sure the data has not been changed and whatever you serve out there is accurate to the public," Musa said.

If anything, the drive toward open data might create additional security challenges as agencies understand that they can no longer simply apply a one-size-fits-all policy that sets closed as the default setting for their data assets. That means that they must adopt more nuanced security policies tailored to the nature of each data set, and yet still have some overarching protections as those assets become linked.

Kevin Charest, CISO at the Department of Health and Human Services, described the "war" that pits "the desire to share, the desire to bring these data sets together, against the responsibility that's associated."

"One of the challenges of bringing big data sets into one place is you inherit the insecurity of all. So you create almost like a shopping place for a would-be bad actor if you're not careful," he said. "So you have to balance that desire for openness, desire for collaboration, the willingness to move in new space with rationality of securing that data."

Security Challenges Come Quickly and Government Lacks Agility

The federal government is not known for its agility in adapting to new technologies, a condition that traces to its vast size, organizational culture and the rules surrounding new procurements and system deployments, among other factors. Small wonder then that federal officials see partnerships with private-sector firms as a critical element in improving the government's cybersecurity posture.

Count among those Agriculture's McClam, who challenged the IT vendors in the room at Thursday's conference to organize a formal, recurring confab that would bring together leaders in the public and private sectors to compare notes on evolving security trends.

"Technology evolves very, very fast," McClam said. "Look at ways to come up with some kind of semiannual forum, cybersecurity forum, where you have senior leadership of the various federal agencies as well as the leadership of the industry, our industry partners, coming together so we can stay apprised and stay on top of emerging security solutions, emerging security threats."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.
